Compare commits
11 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
ac8de07fd1 | ||
|
|
09b815c470 | ||
|
|
0ce0e69d98 | ||
|
|
dba83feec8 | ||
|
|
c9017eb417 | ||
|
|
4ef054abe6 | ||
|
|
9789b6ae3b | ||
|
|
fd44a8c1a7 | ||
|
|
341f810bd6 | ||
|
|
731c4a9c64 | ||
|
|
9c91cd8af6 |
@@ -1,4 +1,4 @@
|
||||
FROM aquasec/trivy:latest
|
||||
FROM aquasec/trivy:0.18.1
|
||||
COPY entrypoint.sh /
|
||||
RUN apk --no-cache add bash
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
156
README.md
156
README.md
@@ -107,10 +107,6 @@ jobs:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
@@ -127,6 +123,152 @@ jobs:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
### Using Trivy to scan your private registry
|
||||
It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
|
||||
|
||||
#### Docker Hub registry
|
||||
Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
|
||||
You don't need to set ENV vars when downloading from a public repository.
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
TRIVY_USERNAME: Username
|
||||
TRIVY_PASSWORD: Password
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
#### AWS ECR (Elastic Container Registry)
|
||||
Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
|
||||
You can use [AWS CLI's ENV Vars][env-var].
|
||||
|
||||
[env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
AWS_ACCESS_KEY_ID: key_id
|
||||
AWS_SECRET_ACCESS_KEY: access_key
|
||||
AWS_DEFAULT_REGION: us-west-2
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
#### GCR (Google Container Registry)
|
||||
Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
|
||||
|
||||
If you want to use target project's repository, you can set it via `GOOGLE_APPLICATION_CREDENTIAL`.
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
#### Self-Hosted
|
||||
BasicAuth server needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
|
||||
if you want to use 80 port, use NonSSL `TRIVY_NON_SSL=true`
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
env:
|
||||
TRIVY_USERNAME: Username
|
||||
TRIVY_PASSWORD: Password
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
```
|
||||
|
||||
## Customizing
|
||||
|
||||
### inputs
|
||||
@@ -142,13 +284,15 @@ Following inputs can be used as `step.with` keys:
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `template`) |
|
||||
| `template` | String | | Output template (`@/contrib/sarif.tpl`, `@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)|
|
||||
| `output` | String | | Save results to a file |
|
||||
| `exit-code` | String | `0` | Exit code when vulnerabilities were found |
|
||||
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
|
||||
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
|
||||
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to be displayed |
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `cache-dir` | String | | Cache directory |
|
||||
| `timeout` | String | `2m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
|
||||
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
|
||||
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
|
||||
[marketplace]: https://github.com/marketplace/actions/aqua-security-trivy
|
||||
|
||||
@@ -57,6 +57,10 @@ inputs:
|
||||
description: 'timeout (default 2m0s)'
|
||||
required: false
|
||||
default: ''
|
||||
ignore-policy:
|
||||
description: 'filter vulnerabilities with OPA rego language'
|
||||
required: false
|
||||
default: ''
|
||||
runs:
|
||||
using: 'docker'
|
||||
image: "Dockerfile"
|
||||
@@ -75,3 +79,4 @@ runs:
|
||||
- '-l ${{ inputs.input }}'
|
||||
- '-m ${{ inputs.cache-dir }}'
|
||||
- '-n ${{ inputs.timeout }}'
|
||||
- '-o ${{ inputs.ignore-policy }}'
|
||||
|
||||
24
entrypoint.sh
Normal file → Executable file
24
entrypoint.sh
Normal file → Executable file
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:" o; do
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:" o; do
|
||||
case "${o}" in
|
||||
a)
|
||||
export scanType=${OPTARG}
|
||||
@@ -44,6 +44,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:" o; do
|
||||
n)
|
||||
export timeout=${OPTARG}
|
||||
;;
|
||||
o)
|
||||
export ignorePolicy=${OPTARG}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
@@ -58,6 +61,11 @@ if [ $input ]; then
|
||||
fi
|
||||
ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
|
||||
|
||||
GLOBAL_ARGS=""
|
||||
if [ $cacheDir ];then
|
||||
GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir"
|
||||
fi
|
||||
|
||||
ARGS=""
|
||||
if [ $format ];then
|
||||
ARGS="$ARGS --format $format"
|
||||
@@ -81,14 +89,18 @@ if [ $output ];then
|
||||
ARGS="$ARGS --output $output"
|
||||
fi
|
||||
if [ $skipDirs ];then
|
||||
ARGS="$ARGS --skip-dirs $skipDirs"
|
||||
fi
|
||||
if [ $cacheDir ];then
|
||||
ARGS="$ARGS --cache-dir $cacheDir"
|
||||
for i in $(echo $skipDirs | tr "," "\n")
|
||||
do
|
||||
ARGS="$ARGS --skip-dirs $i"
|
||||
done
|
||||
fi
|
||||
if [ $timeout ];then
|
||||
ARGS="$ARGS --timeout $timeout"
|
||||
fi
|
||||
if [ $ignorePolicy ];then
|
||||
ARGS="$ARGS --ignore-policy $ignorePolicy"
|
||||
fi
|
||||
|
||||
echo "Running trivy with options: " --no-progress "${ARGS}" "${artifactRef}"
|
||||
trivy ${scanType} --no-progress $ARGS ${artifactRef}
|
||||
echo "Global options: " "${GLOBAL_ARGS}"
|
||||
trivy $GLOBAL_ARGS ${scanType} --no-progress $ARGS ${artifactRef}
|
||||
|
||||
Reference in New Issue
Block a user